Cisco ISE 3315 standalone to 3415 Distributed - Procedure

Arjun176
Level 1

Hi,

I wanted to replace the existing 3315 hardware with 3415 or higher hardware.

The existing 3315 device is configured in standalone mode, and I got 2 new 3415s and am planning to deploy them in distributed mode.

What would be the best approach to migrate from the 3315 to a higher model, among the (high-level) procedures mentioned below? Please suggest.

Procedure 1:

1. Make the 3315 the primary node.

2. Configure one of the 3415s with ISE version 1.4 and configure the device as the secondary node.

3. Sync the configuration from the 3315 primary to the 3415 secondary.

4. Remove the 3315 from the network.

Procedure 2:

1. Configure the 3415 with ISE version 1.4.

2. Take a backup of the existing 3315 and apply it to the 3415 device.

3. Shut the ports of the 3315 and make the 3415 the active device.

Procedure 3:

1. Do a parallel build with 2 x 3415 devices in distributed mode with different IP addresses.

2. Configure the new 3415 as the backup RADIUS server.

3. Make all the network devices fail over to the 3415 ISE setup.

4. Remove the 3315 from the network.

Accepted Solutions

Damien Miller
VIP Alumni
Looks like you have a duplicate post, I will provide the same guidance as the other.

Any of the options you listed would work. In procedure 3, if you build a parallel deployment then you do not need to make it the backup radius server in step 2. I would reconfigure the devices to point at the 3415 deployment for both primary and secondary. Once all NADs had been migrated/reconfigured I would shut down the 3315 node. It sounds like network devices would only have a single radius server configured? If so, they will need to be reconfigured anyways to include a primary/secondary server, the parallel deployment would be ideal.


I also want to bring your attention to a couple items as I think doing this work on 1.4 would be shortsighted.

ISE 1.4 has until September 2020 at which point it will no longer be supported by TAC. As of September 2018 it is no longer being maintained, there will be no further patches. https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/eos-eol-notice-c51-738841.html

The 3415's end of HW support is Oct 2021, so the hardware still has some time left, something to keep in mind.

I might suggest looking at upgrading to ISE 2.2 at the same time, leveraging procedure 2 and 3. ISE 2.2 and 2.4 are both long term support releases, but your 3415 hardware is not in spec to run 2.4. While you could go to ISE 2.3, end of support has been announced already for June 2020, which is before ISE 1.4. Seeing as ISE 2.2 will outlive both releases, and the 3415 hardware, it might be worthwhile looking at the upgrade.
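The cut-over check implied by the answer above (every NAD pointing at both 3415 nodes before the 3315 is shut down), as an added example that is not part of the original thread. The IP addresses, device names and IOS-style config excerpts are constructed assumptions; the script only reads saved configuration text.

```python
import re

# Constructed addresses (assumptions): the 3315 being retired and the two new 3415 nodes.
OLD_ISE = {"192.0.2.15"}
NEW_ISE = {"192.0.2.21", "192.0.2.22"}

# Matches legacy "radius-server host <ip>" and "address ipv4 <ip>" under "radius server <name>".
RADIUS_IP = re.compile(
    r"^\s*(?:radius-server host|address ipv4)\s+(\d{1,3}(?:\.\d{1,3}){3})\b", re.M)

# Constructed sample NAD configurations (IOS-style excerpts), not taken from the thread.
SAMPLE_CONFIGS = {
    "sw-access-01": """radius server ISE-A
 address ipv4 192.0.2.21 auth-port 1812 acct-port 1813
radius server ISE-B
 address ipv4 192.0.2.22 auth-port 1812 acct-port 1813
""",
    "sw-access-02": "radius-server host 192.0.2.15 auth-port 1812 acct-port 1813\n",
    "sw-dist-01": """radius server ISE-OLD
 address ipv4 192.0.2.15 auth-port 1812 acct-port 1813
radius server ISE-A
 address ipv4 192.0.2.21 auth-port 1812 acct-port 1813
""",
}

def audit_nad(config):
    """Return the RADIUS servers a NAD config references and what blocks cut-over."""
    servers = list(dict.fromkeys(RADIUS_IP.findall(config)))  # de-duplicate, keep order
    findings = []
    if any(ip in OLD_ISE for ip in servers):
        findings.append("still points at 3315")
    if sum(ip in NEW_ISE for ip in servers) < 2:
        findings.append("fewer than two 3415 servers")
    unknown = [ip for ip in servers if ip not in OLD_ISE | NEW_ISE]
    if unknown:
        findings.append("unknown RADIUS server: " + ", ".join(unknown))
    return {"servers": servers, "findings": findings, "ready": not findings}

def safe_to_shut_down_3315(configs):
    """True only when every NAD uses both 3415 nodes and none references the 3315."""
    return all(audit_nad(cfg)["ready"] for cfg in configs.values())

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        result = audit_nad(cfg)
        print(name, "OK" if result["ready"] else "; ".join(result["findings"]))
    print("safe to shut down 3315:", safe_to_shut_down_3315(SAMPLE_CONFIGS))
```

A device with no RADIUS server lines at all is also reported as not ready, so an incomplete config export cannot pass the check by omission.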

5 Replies

MajidShirzadeh
Level 1

Any specific reason you are using version 1.4?

Hi,

Thanks for your suggestions, we have decided to buy 3595 appliances.

Is it possible to copy the configuration/backup from the 3315 on ISE version 1.4 and restore the backup on a 3595 running ISE 2.1 or the latest version?

You won't be able to restore 1.4 directly to the current recommended release, 2.4. It only supports backups taken from 2.0 and newer, so you would have to perform a jump upgrade. You could stand up a node on 2.1, restore the 1.4 backup, then take the 2.1 backup and restore it on a 2.4 node.

Since you will be buying new nodes, it might be worthwhile looking at manually rebuilding the config; it might take less time in a simple environment.

Please go right to 2.4; it's our golden long-term release.